Query Details

Connections To Abused TLDs Device Network Events

Query

//Get spamhaus TLD list
let spamhausTLDS = (externaldata(['TLD']: string, ['Badness Index']: string)
[h@"https://raw.githubusercontent.com/cyb3rmik3/Hunting-Lists/main/spamhaus-abused-tlds.csv"]with (format="csv"))
| extend TLD = iif(TLD startswith ".",replace_string(TLD,".",""),TLD)
| where TLD != "TLD";
//Get info-sec TLD list
let infosecTLDs = (externaldata(TLD: string)
[h@"https://www.info-sec.ca/tld-block.txt"]with (format="csv"))
| where TLD !startswith "#";
//Union lists together
let list_tlds = union spamhausTLDS, infosecTLDs
//Exclude potential noise by uncommenting the line below (it must sit before the closing semicolon)
//| where TLD !in ("live","info","link")
| project TLD;
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where isnotempty(RemoteUrl)
//Remove start and end of URL
| extend RemoteUrl = iif(RemoteUrl startswith "https://",replace_string(RemoteUrl,"https://",""),iif(RemoteUrl startswith "http://",replace_string(RemoteUrl, "http://",""),RemoteUrl))
| extend slashindex = indexof(RemoteUrl, "/")
| extend RemoteUrl = iif(RemoteUrl contains "/",substring(RemoteUrl, 0, slashindex),RemoteUrl)
| extend tld = tostring(split(RemoteUrl, ".")[-1])
| extend VT_Link = strcat("https://www.virustotal.com/gui/domain/",RemoteUrl)
| extend Abuse_Link = strcat("https://www.abuseipdb.com/check/",RemoteIP)
//Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match
| where tld in~ (list_tlds)
| project-away slashindex
| project-reorder TimeGenerated, tld, VT_Link, Abuse_Link, RemoteUrl, InitiatingProcessAccountUpn, DeviceName
| extend Host_0_HostName = DeviceName
| extend Account_0_Name = InitiatingProcessAccountUpn
| extend URL_0_Url = RemoteUrl

Explanation

This query is designed to identify potentially malicious network connections by analyzing top-level domains (TLDs) from network events and comparing them against known lists of suspicious TLDs. Here's a simplified breakdown:

  1. Load Suspicious TLD Lists:

    • It retrieves two lists of suspicious TLDs from external sources:
      • Spamhaus TLD List: A CSV file containing TLDs and their "Badness Index."
      • Info-Sec TLD List: A text file with TLDs to be blocked.
    • It cleans up the TLDs by removing any leading dots and excludes headers or comments.
  2. Combine TLD Lists:

    • The two lists are combined into a single list of TLDs for further analysis.
  3. Filter Network Events:

    • It filters network events to include only successful connections with non-empty URLs.
  4. Extract TLD from URLs:

    • It processes the URLs to extract the TLD by:
      • Removing "http://" or "https://" prefixes.
      • Trimming URLs to remove any path after the domain.
      • Extracting the TLD from the domain.
  5. Check Against Suspicious TLDs:

    • It checks if the extracted TLDs from network events match any TLDs in the combined suspicious list.
    • If a match is found, it keeps the record for further analysis.
  6. Enhance Output:

    • It adds links to VirusTotal and AbuseIPDB for further investigation of the domain and IP.
    • It drops the helper column, reorders the output, and copies the device, account and URL fields into the additional columns Host_0_HostName, Account_0_Name and URL_0_Url.

The query ultimately helps in identifying network connections to domains with suspicious TLDs, providing additional context for security analysts to investigate potential threats.
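As an added example (not part of the original query or its author's code), the same feed normalisation, host parsing and TLD match re-implemented in Python over constructed sample feeds and DeviceNetworkEvents rows, so the parsing logic can be checked offline. It also covers two inputs the KQL's split(RemoteUrl, ".")[-1] does not: a :port suffix and a trailing dot, either of which yields a "TLD" that never matches the list.

```python
import re

# Constructed sample feeds mirroring the two sources the query loads: a CSV with a header row and leading dots, a text file with '#' comments.
SPAMHAUS_CSV = "TLD,Badness Index\n.zip,0.80\n.top,0.55\ncfd,0.60\n"
INFOSEC_TXT = "# tld-block list (constructed sample)\nxyz\n.click\n"

def load_tld_list(spamhaus_csv: str, infosec_txt: str) -> set:
    """Normalise both feeds as the query does: strip leading dots, drop the
    CSV header row and '#' comment lines, union them, lower-case for in~."""
    tlds = set()
    for line in spamhaus_csv.splitlines()[1:]:       # [1:] skips the header row
        tld = line.split(",")[0].strip().lstrip(".")
        if tld:
            tlds.add(tld.lower())
    for line in infosec_txt.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            tlds.add(line.lstrip(".").lower())
    return tlds

def extract_tld(remote_url: str) -> str:
    """Reduce RemoteUrl to its host and return the last label, as the KQL does.
    Additionally strips a :port suffix and a trailing dot; without that, the
    KQL yields a 'TLD' such as 'top:8443' or '' and never matches the list."""
    host = remote_url.split("://", 1)[-1]             # drop the scheme if present
    host = host.split("/", 1)[0]                      # drop any path
    host = re.sub(r":\d+$", "", host).rstrip(".")     # drop :port and trailing dot
    return host.rsplit(".", 1)[-1].lower()

def suspicious_connections(events: list, tlds: set) -> list:
    """Apply the query's filters: successful connection, non-empty URL,
    TLD present in the combined list (the `where tld in~ (list_tlds)` step)."""
    return [e for e in events
            if e["ActionType"] == "ConnectionSuccess" and e["RemoteUrl"]
            and extract_tld(e["RemoteUrl"]) in tlds]

# Constructed DeviceNetworkEvents rows covering the edge cases above.
EVENTS = [
    {"ActionType": "ConnectionSuccess", "RemoteUrl": "https://update.example.com/v2"},
    {"ActionType": "ConnectionSuccess", "RemoteUrl": "files.sample.ZIP"},
    {"ActionType": "ConnectionSuccess", "RemoteUrl": "http://cdn.sample.top:8443/a"},
    {"ActionType": "ConnectionFailed", "RemoteUrl": "login.sample.xyz"},
    {"ActionType": "ConnectionSuccess", "RemoteUrl": "host.sample.cfd."},
    {"ActionType": "ConnectionSuccess", "RemoteUrl": ""},
]

if __name__ == "__main__":
    for hit in suspicious_connections(EVENTS, load_tld_list(SPAMHAUS_CSV, INFOSEC_TXT)):
        print(hit["RemoteUrl"], "->", extract_tld(hit["RemoteUrl"]))
```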

Details


Jay Kerai

Released: November 11, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents

Operators

let, externaldata, h@, with, format, extend, iif, startswith, replace_string, where, union, project, project-away, project-reorder, isnotempty, indexof, contains, substring, tostring, split, strcat, in~
